This adds CIL and checkpolicy support for the (portcon dccp ...) statement. The kernel already handles name_bind and name_connect permissions for the dccp_socket class. Signed-off-by: Richard Haines <richard_c_haines@btinternet.com> Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
6.9 KiB
Network Labeling Statements
ipaddr
Declares a named IP address in IPv4 or IPv6 format that may be referenced by other CIL statements (i.e. netifcon
).
Notes:
-
CIL statements utilising an IP address may reference a named IP address or use an anonymous address, the examples will show each option.
-
IP Addresses may be declared without a previous declaration by enclosing within parentheses e.g.
(127.0.0.1)
or(::1)
.
Statement definition:
(ipaddr ipaddr_id ip_address)
Where:
|
The |
|
The IP address identifier. |
|
A correctly formatted IP address in IPv4 or IPv6 format. |
Example:
This example declares a named IP address and also passes an 'explicit anonymously declared' IP address to a macro:
(ipaddr netmask_1 255.255.255.0)
(context netlabel_1 (system.user object_r unconfined.object low_low)
(call build_nodecon ((192.168.1.64) netmask_1))
(macro build_nodecon ((ipaddr ARG1) (ipaddr ARG2))
(nodecon ARG1 ARG2 netlabel_1))
netifcon
Label network interface objects (e.g. eth0
).
Statement definition:
(netifcon netif_name netif_context_id packet_context_id)
Where:
|
The |
|
The network interface name (e.g. |
|
The security context to be allocated to the network interface. A previously declared |
|
The security context to be allocated to packets. Note that these are defined but currently unused as the A previously declared |
Examples:
These examples show named and anonymous netifcon
statements:
(context context_1 (unconfined.user object_r unconfined.object low_low))
(context context_2 (unconfined.user object_r unconfined.object (systemlow level_2)))
(netifcon eth0 context_1 (unconfined.user object_r unconfined.object levelrange_1))
(netifcon eth1 context_1 (unconfined.user object_r unconfined.object ((s0) level_1)))
(netifcon eth3 context_1 context_2)
nodecon
Label network address objects that represent IPv4 or IPv6 IP addresses and network masks.
IP Addresses may be declared without a previous declaration by enclosing within parentheses e.g. (127.0.0.1)
or (::1)
.
Statement definition:
(nodecon subnet_id netmask_id context_id)
Where:
|
The |
|
A previously declared |
|
A previously declared |
|
A previously declared |
Examples:
These examples show named and anonymous nodecon
statements:
(context context_1 (unconfined.user object_r unconfined.object low_low))
(context context_2 (unconfined.user object_r unconfined.object (systemlow level_2)))
(ipaddr netmask_1 255.255.255.0)
(ipaddr ipv4_1 192.168.1.64)
(nodecon netmask_1 ipv4_1 context_2)
(nodecon (255.255.255.0) (192.168.1.64) context_1)
(nodecon netmask_1 (192.168.1.64) (unconfined.user object_r unconfined.object ((s0) (s0 (c0)))))
portcon
Label a udp, tcp or dccp port.
Statement definition:
(portcon protocol port|(port_low port_high) context_id)
Where:
|
The |
|
The protocol keyword |
|
A single port to apply the context, or a range of ports. The entries must consist of numerics |
|
A previously declared |
Examples:
These examples show named and anonymous portcon
statements:
(portcon tcp 1111 (unconfined.user object_r unconfined.object ((s0) (s0 (c0)))))
(portcon tcp 2222 (unconfined.user object_r unconfined.object levelrange_2))
(portcon tcp 3333 (unconfined.user object_r unconfined.object levelrange_1))
(portcon udp 4444 (unconfined.user object_r unconfined.object ((s0) level_2)))
(portcon tcp (2000 20000) (unconfined.user object_r unconfined.object (systemlow level_3)))
(portcon dccp (6840 6880) (unconfined.user object_r unconfined.object ((s0) level_2)))